Re: Please Help
> Date: Thu, 17 Feb 2011 11:45:06 -0500
> From: "Lightner, Jeff"
> Sender: bind-users-bounces+oberman=es@lists.isc.org
>
> IIRC the U.S. Government last year or the year before mandated all their
> sites be DNSSEC compliant by early this year. Maybe it is just a sign
> they are actually doing it.

Yes, they are. As of the last report I have received, something over 50% of all .gov zones are now signed with the DS records installed in the .gov zone. Still quite a ways to go but substantial progress has been made and people with broken firewalls are starting to notice.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751

> -----Original Message-----
> From: bind-users-bounces+jlightner=water@lists.isc.org
> [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
> Of Ryan Novosielski
> Sent: Thursday, February 17, 2011 9:54 AM
> To: Xiaoxu Huang
> Cc: bind-users@lists.isc.org
> Subject: Re: Please Help
>
> Glad to hear it was a help.
>
> Does anyone happen to know if anything changed for .gov addresses just
> last week? This problem appears to have come out of the clear blue sky
> (not that there wasn't plenty of warning) so I have to assume that
> something was just activated.
>
> On 02/17/2011 09:47 AM, Xiaoxu Huang wrote:
> > We have checked list archives and our side has increased the allowed DNS
> > packet size. Now we are fine to get correct answer for **.gov.
> >
> > Thanks for help and Best Regards,
> >
> > Xiao
> > 2/17/2011
> >
> > -----Original Message-----
> > From: bind-users-bounces+xhuang=graphnet@lists.isc.org
> > [mailto:bind-users-bounces+xhuang=graphnet@lists.isc.org] On Behalf Of
> > Ryan Novosielski
> > Sent: Wednesday, February 16, 2011 5:47 PM
> > To: bind-users@lists.isc.org
> > Subject: Re: Please Help
> >
> > I asked this same question this week. Check the list archives.
> >
> > On 02/16/2011 05:24 PM, Xiaoxu Huang wrote:
> >> From couple of our DNS servers, we are failed to get correct DNS answer
> >> like followings:
> >>
> >> 1) From server A
> >> # nslookup
> >> Default Server: localhost
> >> Address: 127.0.0.1
> >>
> >>> www.nyc.gov
> >> Server: localhost
> >> Address: 127.0.0.1
> >>
> >> *** localhost can't find www.nyc.gov: Non-existent host/domain# nslookup
> >>
> >> 2) From server B:
> >> # nslookup
> >>> www.nyc.gov
> >> ;; connection timed out; no servers could be reached
> >>
> >> 3) Both servers run bind-9.7.2-P2
> >>
> >> Can any one help?

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind 9.6.3 crashing on Freebsd 7.3
Just had one of our authoritative servers crash with a similar error:

17-Feb-2011 10:28:18.814 general: critical: rbtdb.c:1566: INSIST(((unsigned int)((&(node)->references)->refs)) == 0 && node->data == ((void *)0)) failed
17-Feb-2011 10:28:18.838 general: critical: exiting (due to assertion failure)

Just before that, the logs show:

7-Feb-2011 10:28:18.770 security: info: client 204.194.237.19#24246: query (cache) 'cf._dns-sd._udp.0.0.171.184.in-addr.arpa/TXT/IN' denied
17-Feb-2011 10:28:18.780 security: info: client 204.194.237.19#48606: query (cache) 'lb._dns-sd._udp.0.0.171.184.in-addr.arpa/PTR/IN' denied
17-Feb-2011 10:28:18.812 security: info: client 204.194.237.19#43987: query (cache) 'cf._dns-sd._udp.0.0.171.184.in-addr.arpa/TXT/IN' denied

Not sure if it's related. This is:

# named -V
BIND 9.7.2-P3-RedHat-9.7.2-4.P3.uopel5 built with '--build=i686-redhat-linux-gnu' '--host=i686-redhat-linux-gnu' '--target=i386-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' 'build_alias=i686-redhat-linux-gnu' 'host_alias=i686-redhat-linux-gnu' 'target_alias=i386-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables' 'CPPFLAGS= -DDIG_SIGCHASE' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables' 'FFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables'

# uname -a
Linux 2.6.18-128.1.1.el5 #1 SMP Mon Jan 26 13:59:00 EST 2009 i686 i686 i386 GNU/Linux

Any information would be much appreciated.

Thanks,
cv

On Mon, Feb 14, 2011 at 5:09 AM, Joshua Frugé wrote:
> On 02/11/2011 21:21, Terry. wrote:
>> 2011/2/11 Joshua Frugé:
>>> running bind 9.6.3 installed from ports on Freebsd 7.3 (amd64)
>>>
>>> Getting this error in my local log
>>>
>>> 10-Feb-2011 21:12:13.711 general: rbtdb.c:1506: INSIST(((unsigned
>>> int)((&(node)->references)->refs)) == 0&& node->data == ((void *)0))
>>> failed
>>
>> could you try to compile BIND from the source rather than the ports
>> installation?
>>
>> Regards.
>
> I had to revert back to 9.6.2. Going to try to replicate the issue on a
> test server and get more info.

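A triage check for the crash report above, added here as an example and not code from the poster or from BIND: it finds assertion failures in a named log and lists the queries denied in the 100 ms before each one. The log layout is assumed to match the lines quoted in the message; the window size and the function names are choices made for this example.

```python
import re
from datetime import datetime, timedelta

# Log lines quoted from the message above, timestamps exactly as posted
# (the first is dated 7-Feb, so it falls outside the window before the crash).
SAMPLE_LOG = """\
7-Feb-2011 10:28:18.770 security: info: client 204.194.237.19#24246: query (cache) 'cf._dns-sd._udp.0.0.171.184.in-addr.arpa/TXT/IN' denied
17-Feb-2011 10:28:18.780 security: info: client 204.194.237.19#48606: query (cache) 'lb._dns-sd._udp.0.0.171.184.in-addr.arpa/PTR/IN' denied
17-Feb-2011 10:28:18.812 security: info: client 204.194.237.19#43987: query (cache) 'cf._dns-sd._udp.0.0.171.184.in-addr.arpa/TXT/IN' denied
17-Feb-2011 10:28:18.814 general: critical: rbtdb.c:1566: INSIST(((unsigned int)((&(node)->references)->refs)) == 0 && node->data == ((void *)0)) failed
17-Feb-2011 10:28:18.838 general: critical: exiting (due to assertion failure)
"""

# Assumed layout: "<date> <time> <category>: <severity>: <message>".
LINE = re.compile(r"^(\d{1,2}-\w{3}-\d{4} \d\d:\d\d:\d\d\.\d{3}) ([\w-]+): (\w+): (.*)$")
ASSERT = re.compile(r"^(\S+\.c):(\d+): (INSIST|REQUIRE|ENSURE|INVARIANT)\(")
DENIED = re.compile(r"^client ([0-9A-Fa-f.:]+)#\d+: query \(cache\) '([^']+)' denied$")

def parse(log):
    """Return (timestamp, category, severity, message) for each well-formed line."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def triage(log, window_ms=100):
    """For each assertion failure, list (client, query) pairs denied shortly before it."""
    events = parse(log)
    reports = []
    for ts, _category, severity, msg in events:
        hit = ASSERT.match(msg)
        if severity != "critical" or not hit:
            continue
        start = ts - timedelta(milliseconds=window_ms)
        denied = []
        for t, _c, _s, m in events:
            d = DENIED.match(m)
            if d and start <= t < ts:
                denied.append(d.group(1, 2))
        reports.append({"file": hit.group(1), "line": int(hit.group(2)),
                        "kind": hit.group(3), "denied_before": denied})
    return reports

if __name__ == "__main__":
    for report in triage(SAMPLE_LOG):
        print(report)
```

Queries appearing in the window are a lead for reproducing the crash on a test server; co-occurrence alone does not show that they triggered the assertion.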
RE: Please Help
IIRC the U.S. Government last year or the year before mandated all their sites be DNSSEC compliant by early this year. Maybe it is just a sign they are actually doing it.

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Ryan Novosielski
Sent: Thursday, February 17, 2011 9:54 AM
To: Xiaoxu Huang
Cc: bind-users@lists.isc.org
Subject: Re: Please Help

Glad to hear it was a help.

Does anyone happen to know if anything changed for .gov addresses just last week? This problem appears to have come out of the clear blue sky (not that there wasn't plenty of warning) so I have to assume that something was just activated.

On 02/17/2011 09:47 AM, Xiaoxu Huang wrote:
> We have checked list archives and our side has increased the allowed DNS
> packet size. Now we are fine to get correct answer for **.gov.
>
> Thanks for help and Best Regards,
>
> Xiao
> 2/17/2011
>
> -----Original Message-----
> From: bind-users-bounces+xhuang=graphnet@lists.isc.org
> [mailto:bind-users-bounces+xhuang=graphnet@lists.isc.org] On Behalf Of
> Ryan Novosielski
> Sent: Wednesday, February 16, 2011 5:47 PM
> To: bind-users@lists.isc.org
> Subject: Re: Please Help
>
> I asked this same question this week. Check the list archives.
>
> On 02/16/2011 05:24 PM, Xiaoxu Huang wrote:
>> From couple of our DNS servers, we are failed to get correct DNS answer
>> like followings:
>>
>> 1) From server A
>> # nslookup
>> Default Server: localhost
>> Address: 127.0.0.1
>>
>>> www.nyc.gov
>> Server: localhost
>> Address: 127.0.0.1
>>
>> *** localhost can't find www.nyc.gov: Non-existent host/domain# nslookup
>>
>> 2) From server B:
>> # nslookup
>>> www.nyc.gov
>> ;; connection timed out; no servers could be reached
>>
>> 3) Both servers run bind-9.7.2-P2
>>
>> Can any one help?
>>
>> Thanks and Best Regards,
>>
>> Xiao
>> 2/16/2011

--
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/CST-Academic Svcs. - ADMC 450, Newark

Re: $GENERATE for /8 networks
> Is there a way I can use $GENERATE to generate PTR records for the whole
> of 10.0.0.0/8 in one line?

Disclaimer: I haven't ever really bothered with $GENERATE. But by reading the BIND 9.7 ARM, it does seem to be aimed at doing the job for /24 segments, not /8.

Pre-generating a static list of PTR records for a /8 isn't too tricky, by using any scripting language like Perl for example, although the generated file will probably be somewhat large. Here's a mockup of such a script, to give an example:

    #!/usr/bin/env perl
    use strict;
    use warnings;

    # Print one PTR record per address in 10.0.0.0/8, using relative
    # owner names of the form d.c.b (16,777,216 lines of output).
    my $network = "10";
    for (my $bnet = 0; $bnet < 256; $bnet++) {
        for (my $cnet = 0; $cnet < 256; $cnet++) {
            for (my $dnet = 0; $dnet < 256; $dnet++) {
                print "${dnet}.${cnet}.${bnet} PTR ${network}-${bnet}-${cnet}-${dnet}.mynetwork.\n";
            }
        }
    }

(no, I'll not pretend it's nice code or anything)

Regards
Eivind Olsen

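Because $GENERATE iterates over a single range, one way to cover 10.0.0.0/8 is one $GENERATE line per /24 (65,536 lines) rather than 16,777,216 literal PTR records. The sketch below is an added example, not code from this thread: it reuses the `mynetwork.` naming from the Perl mockup, `generate_directives` and `expand` are hypothetical helper names, and `expand` models only plain `$` substitution so the output can be checked against the Perl script's records.

```python
import sys

def generate_directives(first_octet=10, suffix="mynetwork."):
    """Yield one $GENERATE line per /24, for a zone whose origin is
    <first_octet>.in-addr.arpa (65,536 lines for a /8)."""
    for b in range(256):
        for c in range(256):
            yield f"$GENERATE 0-255 $.{c}.{b} PTR {first_octet}-{b}-{c}-$.{suffix}"

def expand(directive):
    """Expand a simple $GENERATE line into the records it stands for.

    Handles only 'start-stop' ranges and bare '$'; step values and
    ${offset,width,base} modifiers are deliberately not modelled here."""
    fields = directive.split()
    if len(fields) != 5 or fields[0] != "$GENERATE":
        raise ValueError(f"unsupported directive: {directive!r}")
    _, rng, lhs, rtype, rhs = fields
    start, stop = (int(x) for x in rng.split("-"))
    if not 0 <= start <= stop:
        raise ValueError(f"bad range: {rng!r}")
    return [
        f"{lhs.replace('$', str(i))} {rtype} {rhs.replace('$', str(i))}"
        for i in range(start, stop + 1)
    ]

if __name__ == "__main__":
    # Write the zone fragment to stdout; $ORIGIN/SOA/NS records go in front.
    sys.stdout.writelines(line + "\n" for line in generate_directives())
```

named still expands every directive when it loads the zone, so this shrinks the zone file on disk, not the memory the server needs for the records.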
Re: $GENERATE for /8 networks
On 2/17/2011 10:20 AM, Mark Watts wrote:
>
> Is there a way I can use $GENERATE to generate PTR records for the whole
> of 10.0.0.0/8 in one line?

No. There is not.

I must ask -- do you REALLY need to fill all of a /8? What is the requirement for this?

AlanC

$GENERATE for /8 networks
Is there a way I can use $GENERATE to generate PTR records for the whole of 10.0.0.0/8 in one line?

Mark.

--
Mark Watts BSc RHCE
Senior Systems Engineer, MSS Secure Managed Hosting
www.QinetiQ.com
QinetiQ - Delivering customer-focused solutions
GPG Key: http://www.linux-corner.info/mwatts.gpg

Re: Please Help
Glad to hear it was a help.

Does anyone happen to know if anything changed for .gov addresses just last week? This problem appears to have come out of the clear blue sky (not that there wasn't plenty of warning) so I have to assume that something was just activated.

On 02/17/2011 09:47 AM, Xiaoxu Huang wrote:
> We have checked list archives and our side has increased the allowed DNS
> packet size. Now we are fine to get correct answer for **.gov.
>
> Thanks for help and Best Regards,
>
> Xiao
> 2/17/2011
>
> -----Original Message-----
> From: bind-users-bounces+xhuang=graphnet@lists.isc.org
> [mailto:bind-users-bounces+xhuang=graphnet@lists.isc.org] On Behalf Of
> Ryan Novosielski
> Sent: Wednesday, February 16, 2011 5:47 PM
> To: bind-users@lists.isc.org
> Subject: Re: Please Help
>
> I asked this same question this week. Check the list archives.
>
> On 02/16/2011 05:24 PM, Xiaoxu Huang wrote:
>> From couple of our DNS servers, we are failed to get correct DNS answer
>> like followings:
>>
>> 1) From server A
>> # nslookup
>> Default Server: localhost
>> Address: 127.0.0.1
>>
>>> www.nyc.gov
>> Server: localhost
>> Address: 127.0.0.1
>>
>> *** localhost can't find www.nyc.gov: Non-existent host/domain# nslookup
>>
>> 2) From server B:
>> # nslookup
>>> www.nyc.gov
>> ;; connection timed out; no servers could be reached
>>
>> 3) Both servers run bind-9.7.2-P2
>>
>> Can any one help?
>>
>> Thanks and Best Regards,
>>
>> Xiao
>> 2/16/2011

--
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/CST-Academic Svcs. - ADMC 450, Newark

RE: Please Help
We have checked list archives and our side has increased the allowed DNS packet size. Now we are fine to get correct answer for **.gov.

Thanks for help and Best Regards,

Xiao
2/17/2011

-----Original Message-----
From: bind-users-bounces+xhuang=graphnet@lists.isc.org [mailto:bind-users-bounces+xhuang=graphnet@lists.isc.org] On Behalf Of Ryan Novosielski
Sent: Wednesday, February 16, 2011 5:47 PM
To: bind-users@lists.isc.org
Subject: Re: Please Help

I asked this same question this week. Check the list archives.

On 02/16/2011 05:24 PM, Xiaoxu Huang wrote:
> From couple of our DNS servers, we are failed to get correct DNS answer
> like followings:
>
> 1) From server A
> # nslookup
> Default Server: localhost
> Address: 127.0.0.1
>
>> www.nyc.gov
> Server: localhost
> Address: 127.0.0.1
>
> *** localhost can't find www.nyc.gov: Non-existent host/domain# nslookup
>
> 2) From server B:
> # nslookup
>> www.nyc.gov
> ;; connection timed out; no servers could be reached
>
> 3) Both servers run bind-9.7.2-P2
>
> Can any one help?
>
> Thanks and Best Regards,
>
> Xiao
> 2/16/2011

--
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/CST-Academic Svcs. - ADMC 450, Newark